Hi Friends,
We have to create a multisite indexer clustering environment where Site 1 & Site 2 will each have 2 indexers, 4 indexers overall. There will be 1 search head, with a standby search head. Now I have two questions regarding this.
While configuring outputs.conf of the universal forwarder, I want the logs of all the servers at site 1 to go only to the site 1 indexers (in HA), and in case both indexers at site 1 fail, logs should go to the 2 indexers of site 2. What would be the configuration of site? If I use auto load balancing and mention all 4 indexers in "server = indexer1:9997,indexer2:9997,Indexer3:9997,indexer4:9997", this will distribute logs across all of them. How could I use TCP_Routing in this scenario, and what would be the final outputs.conf configuration?
To enable multisite clustering between Site 1 & Site 2, what would be the server.conf stanzas on the indexers of Site 1 & Site 2?
Thanks in advance.
An overview of multisite clustering and a sample configuration can be found here:
http://docs.splunk.com/Documentation/Splunk/6.2.3/Indexer/Multisiteconffile
Regarding forwarders switching to different sites, the procedure is manual for now.
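
A sketch of the setup discussed in this thread, as an added example that is not part of the original posts or copied from the linked documentation: a two-site cluster with two peers per site, and a site 1 forwarder that load-balances across the site 1 indexers only. The indexer names and port 9997 come from the question; the master host name, replication port 9887, the replication and search factors, and the `pass4SymmKey` placeholder are assumptions.

```ini
# ---- server.conf on the cluster master (assumed to sit in site1) ----
[general]
site = site1

[clustering]
mode = master
multisite = true
available_sites = site1,site2
# Assumed factors: 2 copies on the originating site, 3 in total,
# so the other site always holds at least one copy.
site_replication_factor = origin:2,total:3
site_search_factor = origin:1,total:2
# Placeholder: use one strong shared secret on every cluster node.
pass4SymmKey = <cluster-secret>

# ---- server.conf on each site1 indexer (use site = site2 on site2) ----
[general]
site = site1

[replication_port://9887]

[clustering]
mode = slave
# Hypothetical master host name.
master_uri = https://master.example.com:8089
pass4SymmKey = <cluster-secret>

# ---- outputs.conf on a site1 universal forwarder ----
[tcpout]
# Only this group receives data; load balancing runs across its members.
defaultGroup = site1_indexers

[tcpout:site1_indexers]
server = indexer1:9997,indexer2:9997

# Defined but unused until an operator switches over manually:
# set defaultGroup = site2_indexers and restart the forwarder.
[tcpout:site2_indexers]
server = indexer3:9997,indexer4:9997
```

Because `site2_indexers` is not in `defaultGroup`, a site 1 outage does not redirect data automatically, which matches the manual procedure described in the answer above.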
Hi Mahamed,
Thanks for your response.
For forwarder switching, should we go for auto load balancing then?
What would be the ideal outputs.conf config for the universal forwarder?